Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into it's own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett alanjo@microsoft.com
Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That addresses the issue of not being able to run under systemd,
or under non-forking mode. Added test case to detect proper
operation.
Resolves#154
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This eliminates race-conditions related to signal handling and potential
main/sec-mod desynchronizations related to cert/key pairs.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This is done for testing purposes; allow test the maintenance
cycle without waiting for the necessary time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That is, store:
* number of timed out sessions
* number of timed out due being idle sessions
* number of errored sessions
* total number of session handled (closed)
* total number of kbytes sent
* total number of kbytes received
* minimum MTU seen
* maximum MTU seen
* total authentication failures
* average/max authentication time (in secs)
* average/max session time (in minutes)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This option will set a script to be called once the user is
connected and provides a hostname to be used with his IP. That
script can be used to update a DNS server or so.
Relates #39
That checks whether the first packet received in the new session is valid
and if true, accept the new fd. This avoids the mess with validity detection
based on timeouts.
This change set eliminates the need for cryptographically authenticated
cookies and relies on sec-module providing accurate information on
the SID provided by the client.
That is, to allow referencing to these values from proc_st
without fearing of them being invalidated on a config reload. We
perform a cleanup of these values on the server periodic check.
We now use a common structure in SESSION_REPLY and AUTH_REP
messages. That structure is generated by sec-mod and forwarded
by main to worker, thus eliminating the need to create passing
code for each new user-config variable being added.
That allows to pass TLS information early, but more importantly
to pass information on the IP of the client (and our listen IP),
to main, which will be provided in turn to the up and down scripts,
as well as occtl.
